Access Control & Security Systems

Biometrics in 2006

Jan 1, 2006 12:00 PM, By Michael Fickes

At the beginning of the 20th century, the federal government decided that U.S. Navy ships should be made out of steel. Up until that time, the steel industry looked promising, but no one wanted to take a chance on using the material. With the government's decision to replace its wooden navy ships with ones constructed from steel made to standardized specifications, steel sealed its future as a major commercial construction material.

History is repeating itself a century later related to the 21st century technology of biometrics. Three years ago, the U.S. government decided to adopt biometric authentication systems for Homeland security and the prevention of identity theft. That decision led to an effort to develop specification standards for government agencies to use in requesting proposals for biometric technology — and will eventually translate into wider use of biometrics in the corporate world.

According to Frances Zelazny, a spokesperson for Identix Inc., a biometrics firm based in Minnetonka, Minn., a focus on standards is necessary to spur widespread government adoption of biometrics. “Governments around the world plan to install applications that will be used by seven to 10 million people to access government facilities in the United States and elsewhere,” she says.

Zelazny notes that 27 designated visa waiver countries will soon require travelers visiting the United States to embed facial biometrics on their passports. In addition, the European Union has moved to require fingerprint biometrics on passports issued to the international travelers among its 460 million people. In October, Zelazny continues, any U.S. government employee or contractor with access to federal facilities must have an identification card containing a biometric.

“Some of these government applications will push biometrics into the corporate world,” Zelazny says. “A [government contractor's] employee with access to federal facilities will have a biometric card. If I were the corporate security director of that large government contractor, my people would have these biometric cards. So why would I not use biometrics for access control in my facility?”

As long as these new biometric technologies can interoperate with each other and with other security technologies, they will become more popular. But interoperability will require that biometric vendors adhere to the standards employed by government systems.

In short, government adoption will prove that biometrics can fulfill a security need, while government-driven standards will ensure that one vendor's system will be able to operate with other vendors' systems. Both sides of the equation will play into further commercial adoption.

The importance of standards

Over the years, standardized technologies in the security industry have proven difficult to come by. Today, interoperability is spotty, and unpleasant surprises are the rule. The standards development effort in the biometric industry aims to prevent such problems.

“Most of the standards being developed now have to do with interoperability,” Zelazny says. “Think of the phone jack in your wall. Every phone jack is the same shape. No matter what phone you buy, you can plug it into any wall jack, and the phone will work or interoperate with the wall connection.”

On the other hand, proprietary systems would enable vendors to raise prices. Standards force vendors to compete by balancing price and quality better, or at least differently, than the competition.

“Standards are important to large corporations where one office uses one biometric vendor and another office uses another,” Zelazny says. “If the two comply with standards, they can interoperate.”

Another reason for a security director to care about standards relates to the volatility of technology industries. If a corporation standardizes on one vendor's technology and that vendor goes out of business, what does the security director do when it comes time to replace aging devices?

The good news is that the U.S. government's need for biometric technologies is not that different from private industry's needs, but on a much larger scale. In the case of the government, it is necessary to authenticate millions of cardholders. Standards development aims to facilitate this authentication. If and when vendors adopt these standards, the benefits will flow to government security users as well as commercial security installations.

What are the standards?

According to Donald Waymire, a senior associate in the technology consulting practice of Booz Allen Hamilton, McLean, Va., biometric vendors, government agencies, academia and research organizations are developing 22 to 24 national standards and more than 30 international standards.

Standards groups overseeing this work include the American National Standards Institute (ANSI) and the InterNational Committee for Information Technology Standards (INCITS) on the national side and the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC) on the international side.

“All standards are of importance to the biometrics market and are driven by the marketplace needs,” Waymire says.

So what are the standards? Waymire groups the standards into eight categories:

Biometric Technical Interfaces: This category standardizes the interfaces and interactions between one biometric system and another and between system components and sub-systems. This category also deals with the use of security mechanisms to protect stored data and data transferred between systems.

Biometric Data Interchange Formats: These standards cover the content, meaning and representation of biometric data interchange formats for various kinds of biometric systems including fingerprint, iris, hand geometry and facial.

Data Quality Standards: This standard considers the means by which the qualities of a biometric sample will be expressed, interpreted and measured.

Biometric Application Profiles: This area sets standards for various biometric applications, such as point-of-sale, logical and physical access control, and Department of Defense applications.

Biometric Performance Testing and Reporting: Committees working in this area aim to standardize biometric performance metric definitions and calculations.

Multibiometric Fusion Methods: When two or more layers of biometrics are used, transactional data must be combined or fused to produce an authentication result. This standard deals with how different biometric modalities may be fused.

Cross Jurisdictional and Societal Issues: This area looks at standardizing technical solutions to societal issues, such as privacy, related to biometric implementation.

A de facto standard

Some standardization has already occurred in the outputs that fingerprint readers, hand geometry readers and iris readers send to access control systems. “Most of the leading biometric brands can send Wiegand outputs,” says Peter Boriskin, director of product management for access control with Lexington, Mass.-based Tyco Fire and Security. “Most, if not all, access control companies and security management systems can take Wiegand signals. So, in a sense, there is a de facto standard in this area.”

On the other hand, some systems are hampered by the lack of standards in other areas. “Without giving names, there is an access control system on the market now that reads cards and fingerprints,” Boriskin says. “If you present a valid card to the reader and a valid fingerprint, you can get in. Trouble is, the card and fingerprint do not have to be from the same person. This is called a print mismatch. There are a couple of mismatch issues that should be taken up by standards committees.”

Another standard that Boriskin recommends for consideration by standards committees covers the duress capabilities of systems. Suppose that an employee enrolls his or her pointer finger and thumb. The finger is used generally to get inside the building. But if someone is forcing the employee into a facility, using the thumbprint can open the door while signaling for help from security. “Not every Wiegand stream has a bit or a stream that can be associated with that kind of application,” Boriskin says.

Balancing standards with today's corporate needs

Standards will eventually make it possible to evaluate biometric purchasing decisions. For the time being, however, standards will sometimes require corporate security directors to balance security needs against standards.

“I think that standards will provide important benefits,” says Bill Spence, strategic business unit manager for biometrics at Recognition Systems Inc., Campbell, Calif. “But that doesn't mean you should accept standards without question. Standards may occasionally drive manufacturers to the lowest common denominator — which means that something like performance might be given up in the process.”

Suppose, Spence continues, that a security director wants to use a minutiae-based template. The data from a standards-compliant system may not provide the security performance that the data from a proprietary system would provide. The problem may be in accuracy or a longer verification time.

Faced with a choice between standardized systems and proprietary systems, a security director will have to choose by comparing corporate security performance requirements with the capabilities of each system.

They will ultimately have to make the best decision possible in an imperfect world.

From 1997-2001, INCITS operated under the name Accredited Standards Committee NCITS, National Committee for Information Technology Standards. From 1961- 1996, NCITS operated under the name Accredited Standards Committee X3, Information Technology.